This invention relates generally to policy-based network management, specifically to the testing of policy prior to deployment in a policy-based network management system.
The purpose of policy-based network management is to coordinate device management across an entity""s network to enforce policies which relate to Service Level Agreements (SLAs). SLAs are agreements made between network users and the network provider. Policy is a method of translating those agreements into actions designed to provide the type and level of service agreed upon. These policies describe, in an easy to read format, sets of rules, where a rule specifies a set of conditions and an action to take when the conditions are satisfied. The conditions described in a policy generally relate to when policy should be enforced based on information embedded in the network traffic, and time conditions, etc. The actions described in a policy generally relate to Quality of Service (QoS) capabilities, e.g. bandwidth allocated or priority assigned to the traffic. By using policy-based network management, a structural format is provided wherein and network administrators can avoid the tedious process of individually configuring multiple network devices, such as routers, traffic shapers, each of which has its own particular syntax and mapping of QoS actions to device resources.
As used herein, a policy means the combination of one or more rules assigned to a network component or components. Thus any given component has only one policy per policy type assigned to it, each composed of a number of rules having their own conditions and resulting actions. As a result, such a system provides an administrator a great deal of leverage.
In general, the network administrator uses SLAs to author a set of policies of varying types, determine what enforcement points in the network should enforce these policies, and then deploy the policies to the enforcement points. The enforcement points are the components of the networks that are the targets/devices of the policy.
Deploying policy involves moving the policy onto the agent, translating the policy into target device-specific commands and applying these commands. Some targets/devices may be successfully configured, while others that cannot be configured are unable to enforce the policy. Without the ability to test a policy prior to policy deployment, it is not until this translation is in progress that such problems can be detected. As a consequence, the managed network may be placed into an ambiguous state, because when a policy deployment has failed to be completely deployed, until corrected, the network may be handicapped in its ability to carry traffic. At a minimum, the network is not able to manage traffic as intended by the network administrator creating the policy.
Currently, the effects of a policy deployment can be examined to determine what configuration changes were necessary to implement the policy. But at this point, the policy is already active and is impacting the flow of network traffic. Further, the inspection of configured network devices is a manual process, done out-of-band from the policy management system, with no correlation provided between a specific policy deployment and the device configuration.
What is needed is a mechanism which can detect problems and provide a mechanism for user feedback in advance of policy deployment, so that network traffic will not be affected.
An embodiment consistent with the present invention provides a method of testing a policy prior to deployment in a policy-based network management system. The method includes creating an abstract policy, typically by a console, storing the abstract policy, typically by a server, assigning the abstract policy to a specific target device, and transferring the assigned policy to an agent. The method further includes translating the assigned policy into specific configuration commands by the agent, testing the configuration commands prior to deployment by the specific target device, and deploying the configuration commands by the specific target device.